[judge2020]

Sure, but you never want to be US public enemy number 1. Any large-scale attacks on these big DCs themselves would be treated as national security threats/terrorist attacks since, as laid out here, a large chunk of the US economy is reliant on us-east-1. No matter how much money you get, you'd have to be in Russia and sponsored by the state itself to carry out these attacks if you wanted to remain free for longer than a few months (in which it could be considered an act of war).

I guess the best way to do this without attempting a total shutdown of the dc (while still making off with $xx millions) would be to select a thousand customers, encrypt the hard drives that make up their data redundancy (live, backup, and sharded copies of the data), then ransom that. The only way this doesn't work is if they have all of it in a tape backup, but depending on how much you encrypt, that might be impractical for them to restore if it would cause significant downtime for those customers - and that could be mitigated by selecting petabytes of super-recent data that likely hasn't been backed up to tape yet.

[PeterisP]

Some of the ransomware actors would not be afraid of being labeled "US public enemy number 1" - for example, North Korea is running some operations, and they would really like to extract a hefty ransom in addition to hurting USA as Amazon's revenue is something like 10x the North Korean GDP.

[judge2020]

That would be a declaration of war, which is why ransomware by some cash-strapped group of hackers is generally not an attack vector, given taking us-east-1 offline being seen as terrorism and the resources the US would dedicate to bringing such actors to justice. It'll always be easier to attack random medium-large companies' office ops, which are likely manned by 0 or underskilled IT security personnel (at least in current_year). Even for some place like Russia, the attackers would either need to be state-sponsored or Russia would avoid war by performing the rare non-treaty-bound extradition.

[PeterisP]

I specifically used NK as an example because it is already doing ransomware attacks (though not on the same scale) and while perhaps it might technically/legally be treated as "declaration of war", it is obviously not being treated that way. This would not be a novel thing, this be more of the same, just a bit larger target and larger impact. You could also look at all the other cases of state-sponsored malware causing damage; while technically those might be considered as an act of war, the precedent is that none of the cases have ever been treated by the victimized countries as such in practice. E.g. perhaps Iran complained about Stuxnet diplomatically, but it's not something that escalated to "kinetic action".

And even if it would, so what? It's not like USA is lacking some casus belli to attack NK; the major factors of whether some military action is worthwhile or not would stay the same after such a hack. This would work to deter Russia, who wants to be integrated in trade, but countries which already are isolated and/or already treated as hostile (for example, Iran) wouldn't care; if USA wanted a war there, then refraining from such a hack would not prevent it, and if USA doesn't consider a war there as profitable, then doing some hacks would not be treated as a larger threat than e.g. nuclear weapons development, so it wouldn't even be a significant escalation in the current bad relationships.